Sye-Loong Keoh, Ken Wai-Kin Au

School of Computing Science

University of Glasgow

Zhaohui Tang

School of Infocomm

Republic Polytechnic, Singapore

Securing Industrial Control Systems An E2E Integrity Verification Approach

1

• Industrial Control Systems (ICS) are used to monitor and

control industrial facilities and processes:

– Power Grid: generation, distribution, load balancing and billing

– Chemical and Nuclear Plant: control of safety critical processes.

– Gas and Water Facilities: collect measurements from

PLC/sensors and issue commands to actuators.

Introduction

2

Data Aggregation

• Master ensures data exchange with the slaves (field

controller) by means of cyclic polling.

• Data collected at the field controller can be aggregated.

3

An Example ICS Architecture

[Siemens]

4

Integrity of Sensor Data

fd1 fd2 fd3 fd4 fd5 fd6

field devices

field controllers

ms1 ms2 ms3 ms4 ms5 ms6

…

…

{ms1 , ms2 , ms3} {ms4 , ms5 , ms6}

Central controller Vulnerabilities

fraud

selectively reporting

single point of failure

(m’s1, m’s2, m’s3)

• Data Integrity – the measurements on the field devices must

reflect the current state of the instruments in the plant.

modification and tampering.

• Data Origin Authentication – important to ensure that

measurements are taken using the designated field devices.

spoofing

• Secure Data Aggregation – though data are aggregated to

save bandwidth, the central controller (Back End Master) must have

the ability to check the integrity and data origin.

integrity data origin

5

Security Requirements

• Chameleon Hashing

– Hash function with a trapdoor for finding collusion.

– Associated with a pair of public-private key.

– Private-key serves as the trapdoor.

• Properties

– Chameleon Hash Value [CHV] = CHA_HASH(y, m, r).

– given trapdoor x, find a collision [m’, r’] where m’ ≠ m and r’ ≠ r.

– Hence [CHV] = CHA_HASH(y, m’, r’).

• Chameleon Signature

– Apply traditional signature, e.g., DSA, RSA, ECC to Chameleon

Hash.

Background: Chameleon Hashing

6

System Setup

Trapdoor Hash Key

(x)

Trapdoor Chameleon

Hash Function

Chameleon

Hash Function

Chameleon

Hash Function

Chameleon Hash Key

(y)

Chameleon Hash Key

(y)

Secure Channel Secure Channel

Device ID

(Idfd)

Field Devices Field Controllers Back-end

7

Key Generation

• Krawczyk and Rabin’s discrete logarithm construction

– Two primes p and q are randomly generated such that p = kq+1

where q is a large prime factor.

• An element g of order q in p* is chosen so that the

private key, x p*. The public-key, y is generated as

y = gx mod p

8

Chameleon Hash Key

Generation of Chameleon Hash

• Given a message m p*, choose a random value

r p*, the Chameleon Hash denoted as CHV can be

computed as:

CHA_Hash(m,r) = gm yr mod p

• Only the field devices have the ability to produce the same

Chameleon Hash using a different message, m’ such that

CHA_Hash(m,r) = CHA_HASH(m’,r’) by solving r’

m + xr = m’ + xr’ mod p

9

Chameleon Hashing

Protocol Overview

fd1

fd2

fd3

Phase 1:

divide the time into intervals

m21 {m11, m21, m31} Verification

Store

Readings

Process

Control

aggregated data integrity 10

Field Devices Field Controller Back-end

Protocol Overview

fd1

fd2

fd3

Phase 2:

After t sessions in each interval Process

Control

{m11, m12,…, m1t}

{m21, m22,…, m2t}

{m31, m32,…, m3t}

Verification

Verification

Verification

end-to-end data authentication & integrity 11

Field Devices Back-end

fd1 fd2 fd3 CHV

Secure End-to-End

Data Aggregation

fd1

fd2

fd3

m2,1

AggData1 = {m1,1, m2,1, m3,1,… }

CHV1 = CHA_HASH(AggData1, r1)

SEC_MSGfc,1 = SIGN(Privfc, CHV1)

SEC_MSGfc,1, AggData1

ACK: r1

Verify

Signature

m1,1 m2,1 m3,1 CHV1

Phase 1: interval 1:Session 1 12

Field Devices Field Controller Back-end

Secure End-to-End

Data Aggregation

fd1

fd2

fd3

m2,2

AggData2 = {m1,2, m2,2, m3,2,… }

CHV2 = CHA_HASH(AggData2, r2)

SEC_MSGcc,2 = SIGN(Privcc, CHV2)

SEC_MSGfc,2, AggData2

ACK: r2

Verify

Signature

fd1 fd2 fd3 CHV

m1,2 m2,2 m3,2 CHV2

m1,1 m2,1 m3,1 CHV1

Phase 1: interval 1: Session 2 13

Field Devices Field Controller Back-end

14

Phase 1: Protocol Summary

Transmission of Evidence

• Time is divided into intervals, where each interval consists

of t sessions.

• At the end of each interval, field devices choose an rv

where 1 ≤ v ≤ t , so that

CHA_HASH(m’i, r’i) = CHA_HASH(AggDatav, rv)

• m’ denotes all the readings recorded by the field device i

in the interval {Idfd,i, mi,1, mi,2, …, mi,t}

15

Phase 2: E2E Integrity Verification

Transmission of Evidence

• To verify this, we need to solve r’i

r’i mod p = (AggDatav + xrv – m’)x-1 mod p

• However, field devices do not know AggDatav (sent by the

field controller). Instead they can compute a commitment

that allows the back-end to verify integrity and

authenticity.

y-x mod p yxrv(-x)

, ym’(-x)

16

mod p

Delayed-Integrity-Verification

Field Devices Back-end

fd1

fd2

fd3

fd1,commitment Verify

Hash

fd1 fd2 fd3 CHV

m1,2 m2,2 m3,2 CHV2

m1,1 m2,1 m3,1 CHV1

r1 r2 r3 …

m1,3 m2,3 m3,3 CHV3

Any e.g., using r1

IDfd,1

CHV1

√

Delayed-Integrity-Verification

Phase 2 17

m’ = {IDfd,i, m1,1, m1,2 , m1,3, …}

Find a collision (m’, r’)

m’ = {IDfd,1, m1,1, m1,2 , m1,3…}

commitment:

y-x mod p

yxr1(-x)

ym’(-x) mod p

Integrity Verification

• We need to solve this:

r’i mod p = (AggDatav + xrv – m’)x-1 mod p

• But, essentially we want to compute CHA_HASH(m’,r’),

so we need yr’i mod p, which is

y(-x)AggDatav x

18

yxrv(-x)

ym’(-x) mod p

commitment

fd1 fd2 fd3 CHV

m1,2 m2,2 m3,2 CHV2

m1,1 m2,1 m3,1 CHV1

m1,3 m2,3 m3,3 CHV3

IDfd,1

Delayed-Integrity-Verification

• Prototype was implemented using Java, and deployed on

Raspberry Pi Model B+

– CPU: 700 MHz Low Power ARM processor

– Memory: 512 MB

• Preliminary performance results

19

Prototype Implementation

Device Operation Time (ms)

Controller Chameleon Hashing 0.955955 (PC)

Field Device Generation of

Commitment

111.6 (Pi)

Back End Integrity Verification 2.288591 (PC)

Field Device Signature generation 5830 (Pi)

• Our scheme provides:

– Data Integrity

– Data Origin Authentication

– Secure Data Aggregation

• Novel use of Chameleon Hashing and Signature other

than its traditional usage, to detect misbehaviour of

controllers or aggregators in ICS/SCADA.

• Future work:

– Implement the protocol on real hardware or ICS platform.

– Protocol can be generalized to be used in AMI, body sensor

network, or any network with a hierarchical structure.

Conclusions

20

Thank You

Sye-Loong Keoh

School of Computing Science

University of Glasgow

SyeLoong.Keoh@glasgow.ac.uk

21